Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Fix: xml: Prevent use-after-free in cib_process_xpath()

  • Loading branch information...
commit 48932af70e17faf587ef2799a20337f2184ac44e 1 parent 28d1549
@beekhof authored
Showing with 10 additions and 1 deletion.
  1. +10 −1 lib/common/xml.c
View
11 lib/common/xml.c
@@ -2904,7 +2904,7 @@ freeXpathObject(xmlXPathObjectPtr xpathObj)
}
for(lpc = 0; lpc < max; lpc++) {
- if (xpathObj->nodesetval->nodeTab[lpc]->type != XML_NAMESPACE_DECL) {
+ if (xpathObj->nodesetval->nodeTab[lpc] && xpathObj->nodesetval->nodeTab[lpc]->type != XML_NAMESPACE_DECL) {
xpathObj->nodesetval->nodeTab[lpc] = NULL;
}
}
@@ -2925,11 +2925,20 @@ getXpathResult(xmlXPathObjectPtr xpathObj, int index)
if (index >= max) {
crm_err("Requested index %d of only %d items", index, max);
return NULL;
+
+ } else if(xpathObj->nodesetval->nodeTab[index] == NULL) {
+ /* Previously requested */
+ return NULL;
}
match = xpathObj->nodesetval->nodeTab[index];
CRM_CHECK(match != NULL, return NULL);
+ if (xpathObj->nodesetval->nodeTab[index]->type != XML_NAMESPACE_DECL) {
+ /* See the comment for freeXpathObject() */
+ xpathObj->nodesetval->nodeTab[index] = NULL;
+ }
+
if (match->type == XML_DOCUMENT_NODE) {
/* Will happen if section = '/' */
match = match->children;
Please sign in to comment.
Something went wrong with that request. Please try again.